They admit it was either a misread of data or data somehow changed after assessment.


Researchers who claimed they found a link between the Internet addresses used as part of malware that attacked Freedom Hosting's "hidden service" websites last week and the National Security Agency (NSA) have backed off substantially from their original assertions. After the findings were criticized by others who analyzed Domain Name System (DNS) and American Registry for Internet Numbers (ARIN) data associated with the addresses in question, Baneki Privacy Labs and Cryptocloud admitted that their analysis of the ownership of the IP addresses was flawed. However, they believe the data that they used to make the connection between the address and the NSA may have changed after their first observation.

"We know that those ARIN records that appeared to show the torsploit IP addresses (65.222.202.53 and 65.222.202.54) as being directly allocated to [defense contractor] SAIC are inaccurate," the researchers said in a joint post to Cryptocloud's discussion forum. "Or, rather, the popular analytics resource domaintools.com uses an old (ca. 1993) method for interpolating individual IP ownership ('assignment' is a better term, really, but it's a bit clunky). That old method, all evidence suggests, doesn't give accurate information about the two torsploit IPs in question." They added the qualification that "perhaps the SAIC connection was genuine and it's been cleverly 'scrubbed' on the fly. If so, we lack the analytic capabilities to ferret it out and it'll have to be someone other than us to catch the snowflakes and, from them, reconstruct the storm."

As for the attribution of the IP address to the NSA, the researchers reviewing Robtex data on the address block early on August 5 reached the same conclusion. "All of us agreed... the block of IPs covering 65.192.0.0/11 to 65.222.202.53 'rolled up' directly to nsa.gov... at least according to robtex." That assessment isn't supported by current data in Robtex.

This, the researchers said, means one of two things. The first possibility, the researchers admit, is that "we simply read the robtex report wrong early Monday morning—all of us." The second is that the data somehow changed between early Monday morning and noon, when Wired's Kevin Poulsen and others started looking at the data and questioning the researchers' assessments.

Lacking a screenshot or any other physical evidence of the latter, the first option is most likely. And even if the initial SAIC address correlation was correct, the connection to the NSA is still highly questionable. SAIC does work for many federal agencies—including the FBI, to which the company provides a broad range of "cybersecurity products and services" under the $30 billion, eight-year Information Technology Supplies and Support Services (ITSSS) contract awarded to SAIC and a collection of other IT companies in 2010. Ars has previously reported on the FBI's efforts to use malware in its investigations, like the warrant request denied in March of this year to install remote administration tool malware on the computer of a suspect.


Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email: sean.gallagher@arstechnica.com / Twitter: @thepacketrat

"We know that those ARIN records that appeared to show the torsploit IP addresses (65.222.202.53 and 65.222.202.54) as being directly allocated to [defense contractor] SAIC are inaccurate," the researchers said in a joint post to Cryptocloud's discussion forum. "Or, rather, the popular analytics resource domaintools.com uses an old (ca. 1993) method for interpolating individual IP ownership ('assignment' is a better term, really, but it's a bit clunky). That old method, all evidence suggests, doesn't give accurate information about the two torsploit IPs in question."

Read: "All evidence" suggests that domaintools.com returns wrong information, but we used it anyway to make spectacular claims. "Can't blame us".

Quote:

They added the qualification that "perhaps the SAIC connection was genuine and it's been cleverly 'scrubbed' on the fly. If so, we lack the analytic capabilities to ferret it out and it'll have to be someone other than us to catch the snowflakes and, from them, reconstruct the storm."

Read: We made something up for lack of evidence, but maybe it is true anyway. And even if evidence shows we are wrong, maybe that is fake evidence and we were right anyway. Can't blame us for our gut-feelings.

With the amount of double-speak, maybe these "researchers" should be working for the government.

Is anyone surprised? It's now the in thing to beat the NSA down. So it's now a scramble to find something....anything to be the front page news. Facts and truth don't matter as long as you can make a claim. As an example. I'm certain someone from the NSA was planting a bug in my socks drawer last night. I can't find anything but with nanotech I'm certain it's there somewhere.


sorry but that would never make the front page, no one cares about you per se.

This is why auditors and security folks ALWAYS take screenshots and log the crap out of what we do. One of the key tenets of auditing in general (which certainly extends to any forensic examination of any kind) is that "If you can't prove it? You can't say it."

It also seems pretty likely that they misread the documentation. After all, if the researchers *HAD* taken screenshots (which would have been expected by the NSA or any other three-letter-acronym group), then changing the records would have been an admission of guilt. I strongly doubt they would have risked it.

I don't see these researchers as head line hogs. I would tend to believe their claims as good faith. The NSA, not so much as the book of true tales and other lies that is laid at their door step is very large and has more than a modicum of historical truth to it. Is it beyond the pale to expect an organization that has used technology to infect, exploit and sabotage foreign entities to do the same or similar to those who would embarrass the NSA? I would expect someone somewhere to have the needed exculpatory info and that it will come out.


They might be making their claims in good faith. The problem is that if as researchers they see what they were hoping to see, and don't document what they actually saw, then when nobody can replicate their results they've got nothin'. This is of course not unique to computer forensics research.

But then someone at NSA called someone at Cryptocloud and "reminded" him about that "business trip" in 2010 and the female "consultant,"--what was her name again, "Boom-boom" or something like that--and wouldn't it be terrible if something like that were to become public. With all the notoriety this story was getting, well, it was likely that "someone" would dig that up.Wouldn't that be awful for the wife--and kids?

We're in Jason Bourne territory at this point, I know. But--well--look who you're dealing with here.

So, these "researchers" didn't bother to make a record of their most important piece of supporting evidence? I would think that they might, say, want proof to present alongside their argument. How well would it go over if a physicist gave a presentation arguing that a new particle was found, but didn't put in any charts from the accelerator data. During the talk they just said "Well, I looked at the data on Monday on my computer, and trust me, there was a resonance in the plot. I was too tired to put it in the slides." I think these guys just blew a career's worth of credibility.

From the second this hit the media it screamed to me FBI. NSA doesn't seem to dabble in busting pedos; FBI however, that's a huge deal to them. We've all seen Swordfish and know that the FBI has surveillance tools too. I'm fairly certain they've even been outspoken about the frustrations of criminals using Tor and encryption to try and hide, so why would they not try and make a strike at it when they saw a chance.

I was always suspicious of the idea that the NSA would be effectively performing a sting operation using an ip address that resolved to nsa.gov (or whatever the official DNS entry is). It would be the equivalent of the FBI using a surveillance van with the name of a generic utility company on the sides, but had federal government license plates on the front and back.

If I was heading a multi national spy agency project, which I'm not, I don't imagine I'd register the DNS under my agency's name. Keep in mind it was not incompetence with technology that brought these programs to light but rather a person with an agenda (regardless if you view that agenda as good or bad).


The NSA could be counting on the general population's ignorance, which seems to be the popular stance these days.

According to ARIN the 65.192.0.0 - 65.223.255.255 block has been allocated to MCI/Verizon since 2000 and updated back in March, 2012. No other changes in the ARIN database for that net block have been logged. Trying to find a domain registration assigned to 65.222.202.54 or 55 returns NXDOMAIN (no record).

You'd have to contact Verizon to actually find out who they assigned those two specific addresses to and I wouldn't bet on them being forthcoming without a verifiable court order to do so. Even if it did trace back to a defense or security related vendor there's no evidence to support any accusations, everything else is speculation. It could simply be a security research project that was accidentally released, or stolen. Yes, that's speculation, too! Without real proof in the manner of a documented smoking gun, everything else is a conspiracy theory.

It seems to me that the 'security researchers' claiming to have traced this IP address to defense contractor SAIC 1) have no proof to support their claim, 2) would be unlikely to get Verizon to verify who their customer is using those two addresses on the dates in question.

Once an address block is assigned or allocated by ARIN, they are no longer the authoritative resource for what address is allocated to which customer; that is controlled by the assigned/allocated party and may or may not be reported back to ARIN. Someone with more knowledge about the allocation rules may correct me but I don't know of any rules that say Verizon has to tell ARIN which customers are assigned to its addresses at any specific point in time.

Really? That's the conclusion you're going to go with? That they all misread the report the same way?

You find that situation more plausible than the government using its leverage to clean up a loose end? I'm going to assume you're being sarcastic.

I think it's a lot more likely they read what they *wanted* to read out of the report. All it takes is for one of them to make the guess or the assertion, and it becomes a lot easier to join the bandwagon and confirm the 'finding'. Especially if it involves the NSA snooping where they shouldn't.

Somebody stole my juicebox out of my lunch bag today, and I'm pretty sure it was the NSA. Assuming I didn't forget to pack it.

I'm not even particularly against this attack. At least it's targeted, already one up on their usual activities, but what does it matter which organization did it?

They are all the same entity, the US Government.

I agree with part of your sentiment. People complain when collections are overly broad, and people complain when they are targeted. If you don't know who is creating child porn, and you don't know where they are due to TOR, then what do you do? It seems they targeted specific people, and exploited their browser to get their true IP address. It's better than going up on everyone. So I would say this is a step in the right direction.


The only 'conclusions' to be drawn from the available evidence in this case are that TOR's system was discovered to have a vulnerability. TOR project subsequently issued a warning and a fix, plus mitigation advice for further potential problems. The reporting addresses for the exploit code in question are somewhere in Verizon's allocation block. Everything else is speculation.

Right now doing a traceroute out to 200 hops on 65.222.202.54 shows a routing loop inside alter.net which makes it essentially unroutable from the outside world. (152.179.222.225 -> 152.179.222.226 -> 152.179.222.225)

*Could* the researchers in question be acting in good faith and merely screwed up in collecting evidence? Yes. But, there's still no proof of their accusations. Without proof it may as well be another conspiracy theory. Their results can't be verified by other researchers. Peer review is an important process in forensics validation.

Unless someone comes forward with documentary proof that the NSA/FBI/DIA/little green men from mars/PLA/Mossad/(insert current whipping boy) contracted out the TOR exploit, we have nothing to go on. That may change in the future, but for now, that's where things stand.
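As an added example (my code, not the article's or any commenter's) of the checks the comments above describe: whether an address falls inside the ARIN block the commenter quotes (65.192.0.0 - 65.223.255.255, allocated to MCI/Verizon), whether a traceroute transcript shows the kind of repeating-hop loop described for 65.222.202.54, and, following the "if you can't prove it, you can't say it" point made earlier in the thread, how to preserve each raw lookup as a timestamped, hashed evidence record so the observation can be cited and re-checked later. The allocation table and the traceroute transcript below are constructed from the figures quoted in the comments; the hop numbers and round-trip times are invented and nothing is fetched live.

```python
"""Reproducible attribution checks with evidence preservation (added example)."""
import hashlib
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed allocation table modelled on the ARIN figure quoted in the thread.
# The holder string repeats the commenter's description; it is not a live record.
ALLOCATIONS = [
    ("65.192.0.0/11", "MCI/Verizon (per commenter's ARIN lookup)"),
]

# Constructed traceroute transcript reflecting the loop the commenter described
# (two hops alternating); hop numbers and RTTs are invented.
SAMPLE_TRACEROUTE = """\
traceroute to 65.222.202.54 (65.222.202.54), 200 hops max
 1  192.0.2.1  1.1 ms
 2  198.51.100.9  8.3 ms
 3  152.179.222.225  20.1 ms
 4  152.179.222.226  20.4 ms
 5  152.179.222.225  20.9 ms
 6  152.179.222.226  21.2 ms
 7  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})")


def covering_allocation(ip):
    """Return (cidr, holder) of the most specific listed block containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, holder in ALLOCATIONS:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, holder)
    return (str(best[0]), best[1]) if best else None


def parse_hops(text):
    """Extract (hop_number, responding_ip) pairs; unanswered '* * *' hops are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops


def find_routing_loop(hops):
    """Return (ip, (first_hop, repeat_hop)) for the first hop address seen twice, else None."""
    seen = {}
    for n, ip in hops:
        if ip in seen:
            return ip, (seen[ip], n)
        seen[ip] = n
    return None


def analyse(target, traceroute_text):
    """Combine the block lookup with the path evidence for one target address."""
    hops = parse_hops(traceroute_text)
    return {
        "target": target,
        "allocation": covering_allocation(target),
        "reached": any(ip == target for _, ip in hops),
        "loop": find_routing_loop(hops),
    }


def evidence_record(tool, target, raw_output, observed_at=None):
    """Wrap raw tool output with a UTC timestamp and SHA-256 so the observation
    can be quoted and independently re-verified instead of recalled from memory."""
    observed_at = observed_at or datetime.now(timezone.utc)
    return {
        "tool": tool,
        "target": target,
        "observed_at": observed_at.isoformat(),
        "sha256": hashlib.sha256(raw_output.encode()).hexdigest(),
        "raw": raw_output,
    }


def verify_record(record):
    """True if the stored raw output still matches the hash taken at capture time."""
    return hashlib.sha256(record["raw"].encode()).hexdigest() == record["sha256"]


if __name__ == "__main__":
    target = "65.222.202.54"
    report = analyse(target, SAMPLE_TRACEROUTE)
    record = evidence_record("traceroute", target, SAMPLE_TRACEROUTE)
    print(json.dumps({"analysis": report, "evidence": record}, indent=2))
```

The block lookup answers only the question ARIN can answer (which allocation the address sits in), which is exactly why, as the commenter notes, it cannot name the customer Verizon assigned it to; the loop detector flags the path as unroutable from the outside rather than reached; and the evidence record is what would have settled the "did the data change?" dispute in the article.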


So the addresses go back to Verizon, tracert can't trace it as it goes into alternet. No NX record, but it is a "live" address targeted by an exploit: I'd say that is damn near confirmation of some "spook" involvement. Who else has the means, motivation, and the weight to make it work like this ? There ain't a tinfoil hat big enough for this story.

If you want to believe that breaking down highly secretive communications links that (were) almost untrackable isn't a key target for almost every government funded spy outfit, then I have this bridge that you may have an interest in purchasing...

I have to say, I appreciate the follow-up from Ars on this. As more than a few people (including me) suggested in the original story, there wasn't really much there to support the conclusion the researchers made. Continuing to try to figure out what's actually going on instead of sticking with the juicier story is one of the reasons I tend to like Ars coverage.

FBI, NSA, who cares?

I'm not even particularly against this attack. At least it's targeted, already one up on their usual activities, but what does it matter which organization did it?

They are all the same entity, the US Government.

I agree with part of your sentiment. People complain when collections are overly broad, and people complain when they are targeted. If you don't know who is creating child porn, and you don't know where they are due to TOR, then what do you do? It seems they targeted specific people, and exploited their browser to get their true IP address. It's better than going up on everyone. So I would say this is a step in the right direction.

Except breaking the law to enforce the law is illegal in the USA. Good for the goose and all that. If hacking is illegal and the Government prosecutes hackers, why should a democratic government get away with hacking? I know I know, to get the ___________ (put latest demonized group here). If you cannot do good 'ol fashion police work and find criminals doing criminal things, then you are in the wrong business.

This is why auditors and security folks ALWAYS take screenshots and log the crap out of what we do. One of the key tenets of auditing in general (which certainly extends to any forensic examination of any kind) is that "If you can't prove it? You can't say it."

You're absolutely right.

I was the lead in doing this work Monday morning, and it falls squarely on my shoulders that I don't have a screenshot of these data from the time when we decided to go public. No amount of two-stepping would square that circle, and besides nobody on our side of things has made such an effort. Not worth the hassle, frankly.

That said... (isn't there always a "that said," eh?) we're not professional forensic researchers and we've not presented ourselves as such. Nobody on our team (however loosely we may define "team" here) is a forensic specialist. Indeed, we spent a good chunk of Monday pestering real, bona-fide forensic folks so they could fact-check our work and expand the analysis with their expertise. Heck, on Monday morning the Cryptocloud folks were publicly stating they weren't qualified to do a drill-down analysis of these IPs.

So why did we go public with our findings - and then open those findings to the widest possible peer review? That's actually pretty easy to answer, as it wasn't a complex decision: nobody else was seriously poking at the forensics on the torsploit IPs. Which is to say, nobody was doing so in a publicly visible way - or, if they were, we were too dumb to find them in a timely manner (always possible).

As time went by, and the impact of the torsploit attack continued to echo and resonate deeper into the whateververse, we sat and waited for the proverbial Big Dog to produce a big, thick, heavily-referenced analysis of the IPs: that's the meat of things. We waited, and we waited...

Finally, we poked some malware folks we know and asked them what they had to say about the IP - after all, they do this sort of thing all the time, since this is malware top to bottom. However, none of the ones we asked were willing to say anything public about this one... because it's _government_ malware, which is sort of a different category, apparently, in their epistemology (we're making assumptions here, I know).

And here's the thing: we went public with our best analysis at the time, citing the data we used to make it. Then we asked others to poke it with a sharp stick - forensics folks, in particular. Either it'd stand up and salute, or they'd take our research (or "research," if you're looking at it from their perspective) and say to themselves "bloody amateurs... here's how it's done."

Mission accomplished, mission being intensive analysis of the IPs by the best publicly-available forensic experts in the business. Which, again, isn't Baneki Privacy Labs (which is, after all, a nonprofit collective of tech folks who donate time and effort to projects as the spirit moves them; budget? Zero - easy to track :-P ).

That's not to say that we just threw a shit paddy at the wall to make a scene, figuring "oh, this'll flush the real experts out." That'd be clever in a sort of amoral sense... but we're just not that clever, alas. We published the best data we had, which amounts to amateur work compared to the heavy forensics folks. But, again, the heavy forensic folks were holding fire all weekend. Why? We really don't know, but it's unusual - usually, something interesting happens and the big dogs are all over it, before we can even hit "compose reply." That's how it goes - we soak up the wisdom, like everyone else.

This time, everyone just kept saying FBI, FBI - because they're the ones pushing for the single extradition case for "facilitating" (which is as Orwellian as the sky is blue, fwiw). All that was being said about this enigmatic, hard-coded (!!! ...I mean, wtf - that's not usual in malware, even we know that; see also: fast flux, etc., etc.) was that it "appeared to be U.S. law enforcement." Well, yeah - and the ocean appears to be wet. That's not much of a characterization, is it?

This isn't a dark, bitter criticism of the "security industry" or something - sorry, we're just not into that kind of thing. Instead, it's the direct result of the structural mash-up that torsploit represents. As I've written elsewhere, it's two great tastes that (don't?) taste great together: offensive malware/TAO-style attack tactics, and standard LEO-style "take down the datacentre and brute force or threaten your way into /root." Our working theory is that it falls into a bit of a blind spot, in some respects, because the specialists in the "security community" tend to line up in one or the other stovepipe; thus, an attack that blends the two shamelessly presents something of a conundrum.

We're, if anything, experts in conundrum - that is, most of our folks have multidisciplinary/diverse/spastic career backgrounds. We're good at stuff that's betwixt and between, if we're good at anything (remains to be seen). So it was that we put our appendage on the table, Monday morning - somebody had to do it.

Alas, not screenshotting isn't anything so exotic. I just didn't do it - didn't think it was relevant until it was far too late to realize how relevant it might be. Duh - always obvious in hindsight.

Quote:

It also seems pretty likely that they misread the documentation. After all, if the researchers *HAD* taken screenshots (which would have been expected by the NSA or any other three-letter-acronym group), then changing the records would have been an admission of guilt. I strongly doubt they would have risked it.

That's an interesting point, but I'll counter with a bit more brass-tacks experience in government disinformation. It works, basically. Even if it's caught red-handed, the benefit still retains a big percentage of its not-caught value. Poison the well, and taking the poison back out is really, really hard. So even if, now, a screenshot appears that absolutely demonstrates the torsploit IPs were NSA on Sunday but then suddenly, well, basically nobody's on Monday... would it gain traction? It'd just be part of the debate - not profoundly dispositive. Maybe the screenshot was faked? Jason Bourne territory, indeed.

For what it's worth, as a team Baneki is (polling folks, arguing, discussing) 95% sure there's something deeply fishy about those IPs, the records underlying them, and their relationship to "normal" IPs (which is a squishy category, of course). That's just based on our collective, intensive work on this - and ingestion of big chunks of work done by others, many much smarter than any of us. If you poke any of us, individually, with a sharp stick we'll each admit, yeah, that fishy smell just isn't gone. At all. Is that proof of anything macro? Obviously not. But we're keenly awaiting further developments, let's put it that way - this whole thing is curiosity catnip for us, frankly. It's fascinating.

Then again, people who expect to see ghosts are far more likely to "see" the ghosts they expect. We get that... but, damn, look at that ghost!

And, lest we forget, the fact that the NSA has been recently caught doing whole libraries full of bad stuff - stuff they've denied, flat-out, in public, under oath for years - sort of does colour one's vision... all of our vision. Which, at a meta level, might be the point: we don't trust the NSA - anyone who does is, frankly, a credulous idiot at this point. So when their fingerprints - however vague - show up someplace, everyone jumps like they've seen a real, live ghost.. because this ghost really has been haunting houses, and countries, and networks for quite some time.

Turns out there was something nasty under the bed all along - now, who wants to bet on whether the closet is safe?